#ifndef SMPFUNCTION_H
#define SMPFUNCTION_H 1
// SMPFunction.h
//
// This header defines the interfaces needed for analyzing functions, performing live variable analysis,
// putting code into SSA form, etc.
#include <utility>
#include <list>
#include <vector>
#include <map>
#include <set>
#include <cstddef>
#include <pro.h>
#include <ida.hpp>
#include <ua.hpp>
#include "SMPDataFlowAnalysis.h"
#include "SMPInstr.h"
#include "SMPBasicBlock.h"
#include "ProfilerInformation.h"
using namespace std;
// Use IDA info for switch tables to link indirect jumps to successor blocks?
#define SMP_USE_SWITCH_TABLE_INFO 1
struct LocalVar {
char VarName[MAXSTR];
long offset;
size_t size;
};
// Entry for each byte address in the stack frame
struct StackFrameEntry {
struct LocalVar *VarPtr; // LocalVar that includes this offset
long offset; // offset relative to incoming stack pointer
bool Read; // was this entry ever read by an instruction?
bool Written; // was this entry ever written by an instruction?
bool AddressTaken; // did this entry have its address taken?
bool ESPRelativeAccess; // ever accessed by ESP+const?
bool EBPRelativeAccess; // ever accessed by EBP-const? (only if UseFP)
};
enum FuncType {
FUNC_UNKNOWN = 0,
FUNC_SAFE = 1,
FUNC_UNSAFE = 2
};
// Class encapsulating all that the SMP static analyzer cares to know
// about a function.
class SMPFunction {
public:
// Constructors
SMPFunction(func_t *Info); // Default constructor
// Get methods
inline const char *GetFuncName(void) const { return FuncName; };
inline long GetTypedDefs(void) const { return TypedDefs; };
inline long GetUntypedDefs(void) const { return UntypedDefs; };
inline long GetTypedPhiDefs(void) const { return TypedPhiDefs; };
inline long GetUntypedPhiDefs(void) const { return UntypedPhiDefs; };
inline set<op_t, LessOp>::iterator GetFirstGlobalName(void) { return GlobalNames.begin(); };
inline set<op_t, LessOp>::iterator GetLastGlobalName(void) { return GlobalNames.end(); };
inline size_t NumGlobalNames(void) { return GlobalNames.size(); };
inline set<op_t, LessOp>::iterator FindGlobalName(op_t SearchOp) { return GlobalNames.find(SearchOp); };
inline FuncType GetReturnAddressStatus(void) const { return ReturnAddrStatus;}
inline const ea_t GetStartAddr() const { return FuncInfo.startEA; }; // exposing the start address of the function. Used in RecurseAndMark
inline const vector<ea_t> GetCallTargets() const { return DirectCallTargets; };
// Set methods
inline void IncTypedPhiDefs(void) { ++TypedPhiDefs; return; };
inline void IncUntypedPhiDefs(void) { ++UntypedPhiDefs; return; };
inline void DecTypedPhiDefs(void) { --TypedPhiDefs; return; };
inline void DecUntypedPhiDefs(void) { --UntypedPhiDefs; return; };
inline void SetReturnAddressStatus(FuncType funcType) {ReturnAddrStatus = funcType;}
// Query methods
inline bool HasIndirectCalls(void) const { return IndirectCalls; };
inline bool HasIndirectJumps(void) const { return IndirectJumps; };
inline bool HasUnresolvedIndirectJumps(void) const { return UnresolvedIndirectJumps; };
inline bool HasSharedChunks(void) const { return SharedChunks; };
inline bool HasGoodRTLs(void) const { return BuiltRTLs; };
inline bool IsLeaf(void) const { return (!IndirectCalls && DirectCallTargets.empty()); };
inline bool IsGlobalName(op_t RefOp) const { return (GlobalNames.end() != GlobalNames.find(RefOp)); };
inline bool UsesFramePointer(void) const { return UseFP; };
// Printing methods
void Dump(void); // debug dump
// Analysis methods
void ResetProcessedBlocks(void); // Set Processed flag to false in all blocks
void Analyze(void); // Analyze all instructions in function
void EmitAnnotations(FILE *AnnotFile);
void RPONumberBlocks(void);
void SetLinks(void); // Link basic blocks and map instructions to blocks
void LiveVariableAnalysis(void); // Perform Live Variable Analysis across all blocks
void ComputeSSA(void); // Compute SSA form data structures
void InferTypes(void); // Determine NUMERIC, POINTER, etc. for all operands
SMPOperandType InferGlobalDefType(op_t RefOp, int SSANum, SMPBasicBlock *DefBlock, bool CallInst);
// Can DEF type be inferred from all USEs?
// IsSpeculative accesor/mutators
bool GetIsSpeculative() { return IsSpeculative; }
void SetIsSpeculative(bool IsS) { IsSpeculative=IsS; }
void ApplyProfilerInformation(ProfilerInformation* pi);
private:
// Data
func_t FuncInfo;
char FuncName[MAXSTR];
int BlockCount; // number of basic blocks in the function
bool UseFP; // Does function use a frame pointer?
bool StaticFunc; // Is function declared static?
bool IndirectCalls; // Does function make indirect calls?
bool IndirectJumps; // Does function make indirect jumps?
bool UnresolvedIndirectJumps; // Jumps could not all be linked to targets
bool SharedChunks; // Does function share a tail chunk with other functions?
bool CallsAlloca; // Does function allocate stack space after initial allocation?
bool AnalyzedSP; // Were stack pointer change points successfully analyzed?
bool BuiltRTLs; // Were RTLs built succcessfully for all instructions?
long TypedDefs; // How many DEFs in instructions were not UNINIT type after InferTypes()
long UntypedDefs; // How many DEFs in instructions are UNINIT type after InferTypes()
long TypedPhiDefs;
long UntypedPhiDefs;
size_t Size; // Function size in code bytes
asize_t LocalVarsSize; // size of local vars region of stack frame
ushort CalleeSavedRegsSize; // stack size of callee pushed regs
int RetAddrSize; // size of return address on stack (4 for most machines)
asize_t IncomingArgsSize; // size of incoming args on stack
size_t OutgoingArgsSize; // portion of LocalVarsSize that is really outgoing args space
ea_t LocalVarsAllocInstr; // address of instr that allocates stack frame
ea_t LocalVarsDeallocInstr; // address of epilogue instr that deallocs frame
adiff_t AllocPointDelta; // IDA sp_delta AFTER stack frame allocation instruction
sval_t MinStackDelta; // smallest (negative) value that stack pointer reaches, relative
// to the value it has at the entry point of the function
list<SMPInstr> Instrs;
list<SMPBasicBlock> Blocks;
vector<ea_t> DirectCallTargets; // addresses called directly
map<ea_t, list<SMPBasicBlock>::iterator> InstBlockMap;
vector<list<SMPBasicBlock>::iterator> RPOBlocks;
vector<int> IDom; // Immediate dominators, indexed and valued by block RPO numbers
vector<pair<int, list<int> > > DomTree; // Dominator tree, as parent # and list of children
set<op_t, LessOp> GlobalNames; // operands used in more than one block; needed in SSA
vector<list<int> > BlocksDefinedIn; // What blocks DEF each GlobalName; index = op # in GlobalNames
vector<int> SSACounter; // SSA subscript #, indexed by GlobalNames op #
vector<list<int> > SSAStack; // SSA stack of most recent SSA number, indexed by global #
vector<struct LocalVar> LocalVarTable; // offset-sorted list of local vars / outgoing args
adiff_t LocalVarOffsetLimit; // upper bound on stack-relative offsets
vector<struct StackFrameEntry> StackFrameMap; // memory map of every byte on stack frame
FuncType ReturnAddrStatus; // Marked true if the return address is safe from being overwritten
void MarkFunctionSafe(); // Does analysis to see if the function can be marked safe
bool IsSpeculative; // Have we started the speculative portion of the analysis for this function.
// Methods
void SetStackFrameInfo(void);
ea_t FindAllocPoint(asize_t); // Deal with difficult to find stack frame allocations
bool MDFixFrameInfo(void); // Redefine stack regions for our needs
bool MDFixUseFP(void); // Fix IDA errors affecting UseFP
void BuildLocalVarTable(void); // Determine local variable boundaries on the stack
void SemiNaiveLocalVarID(void); // Semi-naive algorithm for local var boundaries ID
void FindOutgoingArgsSize(void); // Find portion of local frame that is outgoing args
bool MDGetStackOffsetAndSize(op_t TempOp, sval_t sp_delta, ea_t &offset, size_t &DataSize,
bool &FP); // Find any stack memory access in TempOp, return offset, size, and whether
// the Frame Pointer was used.
bool FindAlloca(void); // true if found evidence of alloca() allocations
void EmitStackFrameAnnotations(FILE *AnnotFile, list<SMPInstr>::iterator Instr);
void ComputeIDoms(void); // Compute immediate dominators of all blocks into IDom[]
int IntersectDoms(int, int) const; // Find Dom intersection (as IDom[] index) for 2 blocks
void ComputeDomFrontiers(void); // Compute dominance frontiers for all blocks
void ComputeGlobalNames(void); // Compute the GlobalNames set
void ComputeBlocksDefinedIn(void); // Compute the BlocksDefinedIn vector
void InsertPhiFunctions(void); // Insert SSA phi functions at top of each basic block
void BuildDominatorTree(void); // Build the DomTree structure
int SSANewNumber(size_t GlobNameIndex); // SSA helper: increment and return SSA number
void SSARename(int BlockNumber); // SSA main helper: rename throughout block
void SSARenumber(void); // Renumber SSA subscripts for all names
bool ConditionalTypePropagation(void); // Apply SCC algorithm to unresolved Phi DEFs
}; // end class SMPFunction
#endif